Renew the affected ESXi Host's SSL certificate

For self-signed certificates

Renew an ESXi host certificate using the vSphere UI directly to a host or on the vCenter Server:

1. Browse to the host in the vSphere Client inventory.
2. Click Configure.
3. Under System, click Certificate. You can view detailed information about the selected host's certificate.
4. Click Renew or Refresh CA Certificates
   Renew: Retrieves a fresh signed certificate for the host from VMCA.
   Refresh CA Certificates : Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
   
5. Click Yes to confirm.

If you are unable to manage affected ESXi host from vCenter Server vSphere UI, renew ESXi host certificate using SSH session:

1. In a web browser, log in to the ESXi host using the VMware Host Client.
2. In the Actions menu, click Services > Enable Secure Shell (SSH).
3. Log in to the ESXi host using an SSH client such as Putty.
4. Regenerate the self-signed certificate by executing the following command:
   

   $ /sbin/generate-certificates

5. Restart the hostd and vpxa services by executing the following command:
   

   $ /etc/init.d/hostd restart && /etc/init.d/vpxa restart

6. Log back into the VMware Host Client and click Services > Disable Secure Shell (SSH) from the Actions menu.
7. Repeat the above steps for all remaining hosts.

For custom CA certificates see the knowledge base article at Configuring CA signed certificates for ESXi hosts